The onslaught of ransomware attacks by cybercriminals increases unabated every year, affecting everyone from mom and pop shops on Main Street to corporate lions of Wall Street.
Hackers infiltrate an organization's computer network through social engineering tactics like phishing emails or by exploiting network security weaknesses, allowing vital digital information to be hijacked and held for ransom.
If an offline backup of the information necessary to continue operation is not available, the targeted organization faces what could be a do-or-die decision.
Will the business survive during the time it takes to rebuild the computer network from scratch? In the case of a government entity, how long can constituents be deprived of critical services? Will the hackers publish proprietary or sensitive personal information if the ransom is not paid?
The fallout from an organization's inability to quickly restore operations and failure to protect sensitive information can range from confidence-shattering public outcry to years of litigation.
Significant disruption to business as usual from ransomware has been a serious threat for years. But it was not until the ransomware attacks on Colonial Pipeline Co. — one of the largest oil pipelines in the U.S. — and global meat processor JBS SA in the spring of 2021 that the very real threat of ransomware finally catapulted into the national consciousness.
Ransomware attacks are not just a matter of organizational survival, but clearly a matter of national security.
The U.S. Department of the Treasury's Office of Foreign Assets Control specifically prohibits payments to certain bad actors, with violators subject to civil penalties. The FBI has consistently advised against paying a ransom in part because doing so does not guarantee recovery of hijacked data.
These warnings represent a general U.S. government policy against payments to extortionists. Enter the debate about the role of paying ransoms in the increasing number of serious ransomware attacks.
In an effort to stem the tide of attacks, state governments began looking at taking things a step beyond warnings alone. This year, North Carolina became the first state to outright prohibit the public sector from making a ransom payment.
The new law affects all state and local government officials and entities across the board, no matter how large, small or essential the service. State policymakers believe the prohibition will send a message to cybercriminals to stop targeting North Carolina.
Pennsylvania lawmakers are considering a similar bill that would only allow ransom payments if authorized by the governor. A proposed New York Senate bill would extend the ban to private businesses and health care.
Whether these measures will be effective is currently unknown. On the surface, the proposition that ransom payments increase ransomware attacks seems reasonable. As a stand-alone solution, however, it vastly underestimates the breadth and complexity of the ransomware problem as it currently exists.
One thing is clear: If adequate cybersecurity measures are not in place, the disruptions from ransomware will continue whether payment is prohibited or not.
For many small local governments in particular, inadequate cybersecurity stems not from a lack of political will, but from a lack of funds. So far, only the New York proposal includes a companion bill that would provide funds for local governments to upgrade their network security.
These state initiatives bring into sharp relief the simple truth that adequate cybersecurity measures and cyber due diligence are the best defenses against ransomware attacks and should be a top priority in any organization. Without them, banning ransom payments is the proverbial cart before the horse.
Recommended best practices for cybersecurity are widely available, including guidance from the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center. Among the most important:
Back Up, Back Up, Back Up
An offline backup of critical data is one of the best lines of defense to avoid the disruption of a ransomware attack. Because an alternative method of restoring data is available, the ransom payment dilemma disappears rather than your data. Consistent updating and testing of your backup data is also important.
Plan, Plan, Plan
Institute a simple protocol for responding to ransomware attacks and other potential cyberbreaches.
Train, Train, Train
Educate personnel about the response procedures and conduct regular training on how to recognize and flag phishing emails and other suspect situations that provide an entry point for a ransomware invasion.
Check, Check, Check
Employ information technology professionals to check for and remedy computer network system weaknesses on a routine basis to ensure that all available security measures and updates are implemented, including for remote network access.
Where payment of a ransom is not prohibited, insurance coverage for ransomware attacks, including ransom payments, is available in many cyberpolicies and some crime policies.
While the market for cyberinsurance has tightened in recent years, generally requiring higher premiums for lower limits of liability, a comprehensive cyberpolicy remains an important tool for mitigating cyber risk.
For example, whether a ransom is paid or not, the organization must identify and fix the vulnerability that permitted the ransomware to hijack data in the first place. This typically involves paying an outside expert to conduct a forensic audit of the computer network.
There are many other potentially costly repercussions from cyber incidents, such as federal and state privacy laws that require notification of individuals whose personal data may have been compromised and potential legal liability for the consequences of a cyberbreach.
The need for robust defenses against a ransomware attack has never been greater. The cybercrime landscape is ever-changing and increasingly sophisticated.
Prohibitions on ransom payments and other public policy measures may become a part of the solution, but they will only work if basic cyber defenses are already in place.
Until cybersecurity measures uniformly become standard procedure, too many organizations will continue to be an easy target.
Republished with permission. This article, "Cybersecurity Basics Are Key to Combating Ransomware," was published by Law360 on June 29, 2022.
 N.C.G.S. 143-800.
 N.Y. State Senate Bill S6806A. https://www.nysenate.gov/legislation/bills/2021/s6806#:~:text=S6806%20%2D%20Summary,cyber%20ransom%20or%20ransomware%20attack.